-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1487-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff February 08, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : libexif Vulnerability : several Problem type : local(remote) Debian-specific: no CVE Id(s) : CVE-2007-2645 CVE-2007-6351 CVE-2007-6352 Several vulnerabilities have been discovered in the EXIF parsing code of the libexif library, which can lead to denial of service or the xecution of arbitrary code if a user is tricked into opening a malformed image. CVE-2007-2645 Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code. CVE-2007-6351 Meder Kydyraliev discovered an infinite loop, which may result in denial of service. CVE-2007-6352 Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code. This update also fixes two potential NULL pointer deferences. For the stable distribution (etch), these problems have been fixed in version 0.6.13-5etch2. For the old stable distribution (sarge), these problems have been fixed in 0.6.9-6sarge2. We recommend that you upgrade your libexif packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 3.1 (oldstable) - ---------------------- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9.orig.tar.gz Size/MD5 checksum: 520956 0aa142335a8a00c32bb6c7dbfe95fc24 http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9-6sarge2.dsc Size/MD5 checksum: 591 1ab880b25e1e3ba979d2b6441a3367d5 http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.9-6sarge2.diff.gz Size/MD5 checksum: 5162 47e515e0688cd1c661456df1b5d77601 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_alpha.deb Size/MD5 checksum: 87534 d7d3df515250467671cbc2d9f158269e http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_alpha.deb Size/MD5 checksum: 87554 ee4573f7453ca96efda9cd094d106e30 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_amd64.deb Size/MD5 checksum: 67756 af682500abe0346627ba15e941fa0b1a http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_amd64.deb Size/MD5 checksum: 82068 37e1b283512138577147b1acb9717ed7 arm architecture (ARM) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_arm.deb Size/MD5 checksum: 64146 62d0c51dbb3339746066bb04d787af45 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_arm.deb Size/MD5 checksum: 77004 0d1a7247d251ca72ff84e4da7dcca53b i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_i386.deb Size/MD5 checksum: 81194 bed6762757bd00b262a0829419cd6634 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_i386.deb Size/MD5 checksum: 66828 8cc90864578b2854bc71255638e47fb5 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_ia64.deb Size/MD5 checksum: 84318 4a59f435077564e89aca96c95d026a10 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_ia64.deb Size/MD5 checksum: 95484 e4ac3f25989bcfc22bc87b1e0d95772e m68k architecture (Motorola Mc680x0) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_m68k.deb Size/MD5 checksum: 58050 7fef4665ccd47cc42632a329500e70a5 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_m68k.deb Size/MD5 checksum: 79196 46342bf50631c9d64ed103511b1b893c mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_mips.deb Size/MD5 checksum: 69282 708a8d5c33c9a55a4ab4756710839206 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_mips.deb Size/MD5 checksum: 77082 97212d583943be6d83afcec731e27ac1 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_mipsel.deb Size/MD5 checksum: 67646 c857ec6882ed8cbb47e051a90df7ca96 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_mipsel.deb Size/MD5 checksum: 77138 47e7a22eb17e671e2ccb500a775a85d1 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_powerpc.deb Size/MD5 checksum: 81332 72847874c73086de64a25d03f48a2780 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_powerpc.deb Size/MD5 checksum: 69112 c4584d2f07fbdb932c85e2633ca9b2a8 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_s390.deb Size/MD5 checksum: 82268 3f308fb9b59f68ffdbf7390e76f570c2 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_s390.deb Size/MD5 checksum: 69724 21b6aa80c1a1c1a1b3e8bcd9165c8c43 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.9-6sarge2_sparc.deb Size/MD5 checksum: 66296 ee6bceace68322f90e171c89c441e4c6 http://security.debian.org/pool/updates/main/libe/libexif/libexif10_0.6.9-6sarge2_sparc.deb Size/MD5 checksum: 80280 4e9b6787b57c526192bdc2de9d5d6a7f Debian 4.0 (stable) - ------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13.orig.tar.gz Size/MD5 checksum: 727418 e5ad93c170bfb4fed6dc3e1c7a7948cb http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13-5etch2.dsc Size/MD5 checksum: 611 31d21b75dede8ab7357d68dc10f31b03 http://security.debian.org/pool/updates/main/libe/libexif/libexif_0.6.13-5etch2.diff.gz Size/MD5 checksum: 9821 99a0a91ef86facebe77eb309e84187ee alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_alpha.deb Size/MD5 checksum: 148400 569ffd818b70ff416f2b50033c504a69 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_alpha.deb Size/MD5 checksum: 1068446 66c630fb722856971a824fc00e7ae0f5 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_amd64.deb Size/MD5 checksum: 1044250 b3c5a88cb260655fc65d2ccbd1e2e25b http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_amd64.deb Size/MD5 checksum: 143178 f76de0764808bf3e2c82867954e2a214 arm architecture (ARM) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_arm.deb Size/MD5 checksum: 136448 0f04c8ec7d86dd7c5e2d104cd0a8592a http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_arm.deb Size/MD5 checksum: 1047204 0b0a09e307bd48dd38ea7be61901eec6 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_i386.deb Size/MD5 checksum: 140088 74f55a40478fb3735293b8b20a9b29b9 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_i386.deb Size/MD5 checksum: 1008258 98478f9f44a8121aaa68173eabb9d045 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_ia64.deb Size/MD5 checksum: 159480 f35f6ad4c85c7d0b2898a918fd452081 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_ia64.deb Size/MD5 checksum: 1028756 add2a11a37f72fc8e00db36acc7aba96 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_mips.deb Size/MD5 checksum: 1043420 a2a95479dea713b082fef5c1b5309ea7 http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_mips.deb Size/MD5 checksum: 137352 54a048d4d4d5040a026887e93dadb61d mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_mipsel.deb Size/MD5 checksum: 136158 f713af175516742b0cda4422b85810ad http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_mipsel.deb Size/MD5 checksum: 1008294 bc6a4b93282d64d33f1d26eee59c5bb4 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_powerpc.deb Size/MD5 checksum: 138282 cb57a663e790a4155635009c8948eeca http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_powerpc.deb Size/MD5 checksum: 1005588 26264ee184bad0af01f7861e3a5db6e7 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_s390.deb Size/MD5 checksum: 143596 f4246c73e1d35cc56bc3fca55ec7675f http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_s390.deb Size/MD5 checksum: 1007802 df0e068ffdb783f1da5418e518d623ce sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libe/libexif/libexif12_0.6.13-5etch2_sparc.deb Size/MD5 checksum: 138354 d27c15349891f23956642b19733da994 http://security.debian.org/pool/updates/main/libe/libexif/libexif-dev_0.6.13-5etch2_sparc.deb Size/MD5 checksum: 1002854 c44f9f239a4e13da27ccb78a42d54df3 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHrJA5Xm3vHE4uyloRAkxeAJwIb/NrMfNSD4vcRt2FXSSnRNmJFwCgwrgy syCcOf1SWUb3hogEG0nUsiw= =N7HU -----END PGP SIGNATURE-----